The Page.ViewStateUserKey property is not assigned in Page.OnInit or the Page_Init method.
When designing an ASP.NET Web Forms page, be mindful of cross-site request forgery (CSRF) attacks. In a CSRF attack, a malicious site causes an authenticated user's browser to submit requests the user never intended to your Web Forms page, and the server accepts them because the user's authentication cookie is sent along.
One way of protecting against CSRF attacks in ASP.NET Web Forms is by setting a page's ViewStateUserKey to a string that is unpredictable and unique to a session. The key is mixed into the view state MAC, so a postback whose view state was generated for a different user (or for no session at all) fails validation. For more information, see Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks.
How to fix violations
Set the ViewStateUserKey property to an unpredictable string that is unique per session. For example, if you use ASP.NET session state, HttpSessionState.SessionID will work. The assignment must happen in Page.OnInit or Page_Init: view state is loaded right after the Init stage, so setting the key in Page_Load is too late and has no effect.
When to suppress warnings
It's safe to suppress a warning from this rule if:
If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.
#pragma warning disable CA5368
// The code that's violating the rule is on this line.
#pragma warning restore CA5368
To disable the rule for a file, folder, or project, set its severity to none in the configuration file.
[*.{cs,vb}]
dotnet_diagnostic.CA5368.severity = none
For more information, see How to suppress code analysis warnings.
Pseudo-code examples
Violation
using System;
using System.Web.UI;
class ExampleClass : Page
{
protected override void OnInit (EventArgs e)
{
// ViewStateUserKey is never assigned, so view state is not bound to the user's session.
}
}
Solution
using System;
using System.Web.UI;
class ExampleClass : Page
{
protected override void OnInit (EventArgs e)
{
// Assuming that your page makes use of ASP.NET session state and the SessionID is stable.
// Note: ASP.NET issues a fresh SessionID on every request until a value is stored in the
// session, so SessionID is only stable once the session actually holds data.
ViewStateUserKey = Session.SessionID;
}
}
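The solution above relies on Session.SessionID being stable, which it is not until something has been written to the session. The following is an added example, not code from the original page or from the .NET analyzers project, showing a base page class that satisfies CA5368 for every page deriving from it: it stores a cryptographically random token in the session on first use (which also makes the SessionID stable) and assigns that token to ViewStateUserKey in OnInit. The class and session-key names (AntiCsrfPage, TokenSessionKey, CheckoutPage) are assumptions chosen for this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Web.SessionState;
using System.Web.UI;

// Added example: a base class for all Web Forms pages in the application.
// ViewStateUserKey is set in OnInit, before view state is loaded, so the
// CA5368 check is satisfied once rather than repeated in every page.
public abstract class AntiCsrfPage : Page
{
    // Hypothetical session key name chosen for this example.
    private const string TokenSessionKey = "__AntiCsrfViewStateKey";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Context.Session is null when session state is disabled for the page
        // (EnableSessionState="False"); in that case the key cannot be tied
        // to a session, so fail loudly rather than silently leaving it unset.
        HttpSessionState session = Context.Session;
        if (session == null)
        {
            throw new InvalidOperationException(
                "Session state must be enabled so ViewStateUserKey can be bound to the session.");
        }

        ViewStateUserKey = GetOrCreateSessionToken(session);
    }

    // Returns the per-session random token, creating and storing it on first use.
    // Writing to the session also makes Session.SessionID stable: ASP.NET issues a
    // new ID on each request until a value is stored in the session.
    internal static string GetOrCreateSessionToken(HttpSessionState session)
    {
        var token = session[TokenSessionKey] as string;
        if (string.IsNullOrEmpty(token))
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(bytes);
            }
            token = Convert.ToBase64String(bytes);
            session[TokenSessionKey] = token;
        }
        return token;
    }
}

// Hypothetical concrete page: it inherits the protection with no per-page code.
public class CheckoutPage : AntiCsrfPage
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Normal page logic; view state posted back from another session
        // now fails MAC validation because the key differs.
    }
}
```

Because ViewStateUserKey is part of the view state MAC input, this only protects pages that keep view state MAC validation enabled (the default, and enforced in ASP.NET 4.5.2 and later); it also does nothing for GET requests or for handlers that bypass the page life cycle, which need their own anti-forgery measures.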